CN111294352A - Data security authentication method between cloud and edge node - Google Patents


Info

Publication number: CN111294352A
Authority: CN (China)
Prior art keywords: cloud, edge node, authentication, registration, node
Legal status: Granted
Application number: CN202010078891.8A
Other languages: Chinese (zh)
Other versions: CN111294352B (en)
Inventors: 柳彩云, 何小龙, 孙岩, 陈雪鸿, 杨帅锋, 李俊
Current assignee: China Industrial Control Systems Cyber Emergency Response Team
Original assignee: China Industrial Control Systems Cyber Emergency Response Team

Events: application filed by China Industrial Control Systems Cyber Emergency Response Team; priority to CN202010078891.8A; publication of CN111294352A; application granted; publication of CN111294352B; legal status: active.

Classifications

All codes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/1441 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic: countermeasures against malicious traffic
    • H04L65/1073 Network arrangements, protocols or services for supporting real-time applications in data packet communication: session management, registration or de-registration
    • H04L9/0869 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; key distribution or management: generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3066 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, using cryptographic hash functions
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving time stamps, e.g. generation of time stamps


Abstract

The invention provides a data security authentication method between a cloud and edge nodes. It defines a bidirectional identity authentication protocol between the edge nodes and the cloud, ensures the authenticity and validity of the cloud and edge node identities, prevents malicious attacks from penetrating into the core network, and so greatly strengthens the security of the industrial internet. The method introduces an elliptic curve cryptographic algorithm to encrypt the key data exchanged during authentication; the algorithm has small key sizes, system parameters and storage requirements, a high operation speed and the highest security strength per bit, which makes it suitable for authenticating edge computing nodes with limited computing and storage resources. It avoids the leakage risk of plaintext transmission, prevents replay attacks by means of a timestamp, and simplifies the iterated hash operation of the one-time password authentication protocol, giving higher security than the original authentication protocol together with better operating efficiency, so that it meets the authentication security requirements of edge computing nodes in resource-limited environments.

Description

Data security authentication method between cloud and edge node
Technical Field
The invention relates to the technical field of communication security, and in particular to a data security authentication method between a cloud and an edge node.
Background
The industrial internet is gradually becoming a new mode of industrial application. The industrial internet platform is the hub that connects industrial enterprises with user enterprises and has greatly advanced the intelligence and efficiency of industrial production, but centralised processing in the cloud increases the cloud load, and edge computing applications have arisen to reduce the load on the industrial internet platform. In an edge computing scenario, an edge cloud and the edge nodes process and analyse data close to its source, while the cloud is responsible for centralised processing and storage; the cooperation of edge nodes and cloud greatly reduces cloud load and the volume of transmitted data. In addition, most existing industrial communication protocols provide no authentication function, which leads to security problems such as identity forgery.
Disclosure of Invention
The technical problem the invention aims to solve is bidirectional identity authentication between an edge node and a cloud; to this end it provides a data security authentication method between the cloud and the edge node.
The cloud-side data security authentication method provided by an embodiment of the invention (the edge node authenticating the cloud) comprises the following steps:
A10: generating a first random number, and sending to the cloud a first authentication message encrypted with the cloud public key;
A20: receiving a first response message returned by the cloud on the basis of the first authentication message, and verifying on the basis of the first response message whether the cloud is legitimate;
wherein the first response message is obtained as follows: the cloud parses the first authentication message to obtain the edge node id and the first random number, and computes the first response message from the node public key bound to that edge node id and the first random number.
With this cloud-side data security authentication method, identity authentication is carried out during data transmission between edge computing and the cloud in the industrial internet, and the key information used in authentication is encrypted. The key size and system parameters are small, little storage space is consumed, the operation speed is high and the security strength per bit is the highest available, so the method suits the authentication environment of edge computing nodes with limited computing and storage resources and offers a reliable, lightweight encryption function.
According to some embodiments of the invention, verifying whether the cloud is legitimate on the basis of the first response message comprises:
computing a first verification message from the node public key and the first random number;
judging whether the first verification message is identical to the first response message; if so, the cloud is judged legitimate, otherwise cloud authentication fails.
In some embodiments of the invention, the method further comprises registering the edge node before the first authentication message is sent to the cloud, the registration method comprising:
B10: sending registration request information carrying the edge node id to the cloud;
B20: receiving registration response information returned by the cloud on the basis of the registration request information, generating the node public key and node private key of the edge node from the registration response information, and sending registration information generated from the node public key to the cloud;
B30: the cloud parses the registration information, obtains and stores the node public key, and thereby completes registration of the edge node.
According to some embodiments of the invention, the registration method further comprises:
after receiving the registration request information, the cloud queries a registry for the edge node id to judge whether the edge node is already registered;
when the edge node is unregistered, storing the current timestamp and the edge node id, and generating the registration response information.
In some embodiments of the invention, the registration response information is generated as follows:
C10: the cloud generates a second random number as its cloud private key and generates a secure elliptic curve;
C20: the cloud selects a base point on the secure elliptic curve and generates its cloud public key from the base point;
C30: the cloud generates the registration response information from the cloud public key, the secure elliptic curve and the base point.
The data security authentication method of the edge node according to an embodiment of the invention (the cloud authenticating the edge node) comprises the following steps:
D10: generating a third random number, and sending to the edge node a second authentication message encrypted with the node public key;
D20: receiving a second response message returned by the edge node on the basis of the second authentication message, and verifying on the basis of the second response message whether the edge node is legitimate;
wherein the second response message is obtained as follows: the edge node parses the second authentication message to obtain the third random number, and computes the second response message from the third random number.
With this data security authentication method of the edge node, identity authentication is carried out during data transmission between edge computing and the cloud in the industrial internet, and the key information used in authentication is encrypted. The key size and system parameters are small, little storage space is consumed, the operation speed is high and the security strength per bit is the highest available, so the method suits the authentication environment of edge computing nodes with limited computing and storage resources and offers a reliable, lightweight encryption function.
According to some embodiments of the invention, verifying whether the edge node is legitimate on the basis of the second response message comprises:
computing a second verification message from the third random number;
judging whether the second verification message is identical to the second response message; if so, the edge node is judged legitimate, otherwise the edge node fails authentication.
In some embodiments of the invention, the method further comprises registering the edge node before the second authentication message is sent to the edge node, the registration method comprising:
B10: sending registration request information carrying the edge node id to the cloud;
B20: receiving registration response information returned by the cloud on the basis of the registration request information, generating the node public key and node private key of the edge node from the registration response information, and sending registration information generated from the node public key to the cloud;
B30: the cloud parses the registration information, obtains and stores the node public key, and thereby completes registration of the edge node.
According to some embodiments of the invention, the registration method further comprises:
after receiving the registration request information, the cloud queries a registry for the edge node id to judge whether the edge node is already registered;
when the edge node is unregistered, storing the current timestamp and the edge node id, and generating the registration response information.
In some embodiments of the invention, the registration response information is generated as follows:
C10: the cloud generates a second random number as its cloud private key and generates a secure elliptic curve;
C20: the cloud selects a base point on the secure elliptic curve and generates its cloud public key from the base point;
C30: the cloud generates the registration response information from the cloud public key, the secure elliptic curve and the base point.
Drawings
Fig. 1 is a flowchart of the cloud-side data security authentication method according to an embodiment of the invention;
Fig. 2 is a flowchart of the method for registering an edge node with the cloud according to an embodiment of the invention;
Fig. 3 is a flowchart of the registration response information generation method according to an embodiment of the invention;
Fig. 4 is a flowchart of the data security authentication method of the edge node according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the data transmission process between an edge node and the cloud according to an embodiment of the invention.
Detailed Description
To further explain the technical means and effects by which the invention achieves its intended purpose, the invention is described in detail below with reference to the accompanying drawings and preferred embodiments.
With the development of industrial internet platforms, moving industrial data to the cloud has become a necessary path to intelligent production and operation in industry. Industrial internet data, however, is huge in volume, has strict real-time requirements and reaches the cloud in many forms. Judged by data source and typical application requirements, industrial internet data is uploaded and downloaded in six forms:
(1) transmission between the cloud and the office-network data of the collaboration layer, which serves the collaboration and intelligence of enterprise office systems;
(2) data transmission between the cloud and enterprise-level production management systems such as an ERP system, mainly supporting intelligent enterprise decisions;
(3) data transmission between the cloud and the workshop layer, such as an MES system, mainly supporting intelligent production scheduling;
(4) data transmission between the cloud and the control layer, such as SCADA (supervisory control and data acquisition), mainly supporting intelligent control and monitoring analysis of data;
(5) direct data interaction between the cloud and the field device layer, such as industrial sensors and other terminal acquisition points;
(6) bidirectional data transmission between the cloud and edge nodes. This form applies mainly to scenarios with edge computing; unlike the first five, it exists to relieve the load on the central cloud: data gathered by edge terminals is uploaded to the cloud after a certain amount of computation. Its data interaction takes two forms: the cloud initiates a request to the edge node, and the edge node performs computation and processing on the acquired data and uploads the processed data to the cloud.
Most existing industrial communication protocols provide no authentication function, and the data security authentication protocols in common use today struggle to meet the real-time and security requirements of authentication in such complex scenarios.
Identity authentication is one of the important mechanisms for achieving network security, and traditional identity authentication technology has been applied in many fields of information technology. Classically there are three authentication mechanisms. The first is authentication based on DCE/Kerberos, a very secure two-way authentication technique that mainly emphasises authentication of the client to the server. The second is a public-key-based authentication mechanism, in which identity authentication is realised by a third-party Certificate Authority (CA) issuing identity certificates to users. The third is an identity authentication mechanism based on the challenge/response model, in which the authentication server sends the client a different "challenge" string on every authentication and the client program produces the corresponding "response" on receiving it; the RADIUS authentication mechanism, for example, works this way. The one-time password authentication protocol (OTP) is widely used for authenticating constrained nodes because its overall computation is small, but every authentication requires multiple rounds of iterated hash operations, which seriously hurts authentication efficiency, and its security is insufficient.
Among the authentication protocols in common use today, OTP is a frequent choice for identity authentication because of its simplicity and convenience. The protocol has, however, the following disadvantages:
first, every authentication requires multiple rounds of iterated hash operations, which seriously reduces the efficiency of the authentication operation;
second, because the protocol has no data encryption step, the seed value Seed and the iteration count N are both transmitted in plaintext, and only one-way authentication is provided, the protocol may face server impersonation attacks, password leakage and the small-N attack;
third, because the secret passphrase of the user side is generated by the user, the complexity of the password cannot be guaranteed, password generation habits may be tracked or leaked, and the user side is easily subjected to dictionary or guessing attacks.
The invention provides an identity authentication method between edge computing nodes and the cloud based on an ECC (elliptic curve cryptography) encryption algorithm and one-time password authentication. It remedies security problems of the one-time password authentication protocol, such as its susceptibility to the small-N attack, so as to meet the high-security, highly dynamic and low-latency requirements of authentication between edge computing and the cloud.
The data security authentication method between the cloud and the edge node provided by the invention comprises a cloud-side data security authentication method, an edge node data authentication method and an edge node registration method.
As shown in Fig. 1, the cloud-side data security authentication method according to an embodiment of the invention comprises:
A10: generating a first random number, and sending to the cloud a first authentication message encrypted with the cloud public key.
During cloud-side security data authentication the edge node generates a first random number R1, encrypts its edge node id together with R1 under the cloud public key k_cp to form the first authentication message M1, that is M1 = E_kcp(id, R1), and then sends M1 to the cloud.
A20: receiving a first response message M2 returned by the cloud on the basis of the first authentication message M1, and verifying on the basis of M2 whether the cloud is legitimate;
wherein the first response message M2 is obtained as follows: the cloud parses the first authentication message M1 to obtain the edge node id and the first random number R1, and computes the first response message M2 from the node public key bound to that edge node id and the first random number R1.
Specifically, after receiving the first authentication message M1, the cloud parses M1, extracts the edge node id and the first random number R1, stores the timestamp T_i, and then looks up the node public key pw and the value H(T_{i-1}) bound to the edge node id. The cloud then concatenates pw and R1 and hashes the result to obtain the first response message M2, that is M2 = H(pw || R1). After receiving M2, the edge node can verify the legitimacy of the cloud on the basis of M2.
With this cloud-side data security authentication method, identity authentication is carried out during data transmission between edge computing and the cloud in the industrial internet, and the key information used in authentication is encrypted. The key size and system parameters are small, little storage space is consumed, the operation speed is high and the security strength per bit is the highest available, so the method suits the authentication environment of edge computing nodes with limited computing and storage resources and offers a reliable, lightweight encryption function.
According to some embodiments of the invention, verifying whether the cloud is legitimate on the basis of the first response message M2 comprises:
computing a first verification message M3 from the node public key pw and the first random number R1, that is M3 = H(pw || R1);
judging whether the first verification message M3 is identical to the first response message M2; if so, the cloud is legitimate, otherwise cloud authentication fails.
As shown in Fig. 4, the data security authentication method of the edge node according to an embodiment of the invention comprises:
D10: generating a third random number, and sending to the edge node a second authentication message encrypted with the node public key.
When data security authentication of the edge node is performed, the cloud generates a third random number R3 and encrypts it under the node public key pw of the edge node to obtain the second authentication message M4 = E_pw(R3 || H(T_{i-1})); it then sends M4 to the edge node.
D20: receiving a second response message M5 returned by the edge node on the basis of the second authentication message M4, and verifying on the basis of M5 whether the edge node is legitimate;
wherein the second response message M5 is obtained as follows: the edge node parses the second authentication message M4 to obtain the third random number R3, and computes the second response message M5 from the third random number R3.
Specifically, after receiving the second authentication message M4, the edge node parses M4 to obtain the third random number R3, hashes R3 together with its stored hash of the timestamp to obtain the second response message M5 = H(R3 || H(T_{i-1})), and sends M5 to the cloud. After receiving M5, the cloud can verify the legitimacy of the edge node on the basis of M5.
With this data security authentication method of the edge node, identity authentication is carried out during data transmission between edge computing and the cloud in the industrial internet, and the key information used in authentication is encrypted. The key size and system parameters are small, little storage space is consumed, the operation speed is high and the security strength per bit is the highest available, so the method suits the authentication environment of edge computing nodes with limited computing and storage resources and offers a reliable, lightweight encryption function.
According to some embodiments of the invention, verifying whether the edge node is legitimate on the basis of the second response message M5 comprises:
computing a second verification message M6 from the third random number R3, that is M6 = H(R3 || H(T_{i-1}));
judging whether the second verification message M6 matches the second response message M5; if so, the edge node is legitimate, otherwise the edge node fails authentication.
It should be noted that, before performing data security authentication between the cloud and the edge node, registration of the edge node is further included, as shown in fig. 2, the registration method includes:
b10: sending registration request information carrying edge node id to a cloud; that is, the edge node may send its id as registration request information to the cloud.
B20: receiving registration response information responded by the cloud based on the registration request information, generating a node public key and a node private key of the edge node based on the registration response information, and sending registration information generated based on the node public key to the cloud;
b30: and the cloud terminal analyzes the registration information, and acquires and stores the node public key to complete the registration of the edge node.
According to some embodiments of the invention, the registration method further comprises:
after receiving the registration request message, the cloud end inquires a registry aiming at the edge node id so as to judge whether the edge node is registered; and when the edge node is unregistered, storing the current timestamp information and the edge node id and generating registration response information.
That is to say, after receiving the registration request information sent by the edge node, the cloud firstly checks the existing registration table, judges whether the edge node id is registered, stops registration if the edge node id is found to be the same id, and actively acquires and stores the current timestamp T if the edge node id is not the same idi-1And stores the id, and then responds the registration response information to the edge node.
In some embodiments of the present invention, as shown in fig. 3, the method for generating the registration response message includes:
c10: the cloud generates a second random number as a cloud private key of the cloud, and generates a security elliptic curve;
that is, the cloud receives the registration request information, and stores the edge node id and the current timestamp Ti-1Then, a safety elliptic curve E (GF (2m)) is generated, and a second random number is generated
Figure BDA0002379562390000091
As a cloud private key kcs
C20: selecting a base point from the safety elliptic curve, and generating a cloud public key of a cloud based on the base point;
that is, after the cloud generates the secure elliptic curve E (GF (2m)), a base point P (xp, yp) can be selected and k can be calculatedcp=kcsP is used as a cloud public key.
C30: and generating registration response information based on the cloud public key, the safe elliptic curve and the base point.
That is, the cloud sends its own public key $k_{cp}$, the secure elliptic curve $E(GF(2^m))$ and the base point $P(x_P, y_P)$ to the edge node as the registration response information. The edge node hashes the current timestamp $T_{i-1}$ and stores $H(T_{i-1})$ together with the cloud public key $k_{cp}$; it then generates its own node public key pw and node private key sw from the elliptic-curve parameters and the edge node id, forms $N = (k_{cp} \,\|\, ECC \,\|\, H(T_{i-1}))$ together with pw and the ECC parameters, and sends N to the cloud. After receiving and disassembling N, the cloud stores the node public key pw and $H(T_{i-1})$, and the registration of the edge node is complete.
The following describes in detail a data security authentication method between a cloud and an edge node according to an embodiment of the present invention. It should be understood that the following description is only exemplary and does not specifically limit the invention.
The invention provides an identity authentication protocol between the edge nodes and the cloud of the industrial Internet, based on the one-time password (OTP) authentication idea and the ECC algorithm. It realizes bidirectional identity authentication between the edge computing node and the cloud by means of an improved one-time password authentication protocol and ECC. The scheme makes full use of the high performance and flexibility of ECC and, by improving the one-time password authentication protocol from the security standpoint, provides a lightweight bidirectional identity authentication scheme, so that identity authentication between the edge node and the cloud can be completed securely and quickly.
To achieve this, the invention adopts the following technical scheme:
The identity authentication scheme between the edge node and the cloud consists of two parts, a registration phase and an authentication phase, as follows:
Registration phase:
The registration phase consists of the edge node and the cloud storing each other's identity information. First, the edge node sends its id to the cloud as the registration request information. After receiving the registration request, the cloud first checks the existing registry to determine whether that id is already registered; if the same id is found, registration stops. Otherwise the cloud records the current timestamp $T_{i-1}$ and stores the id, generates a secure elliptic curve $E(GF(2^m))$, selects a base point $P(x_P, y_P)$ on $E$, generates a second random number (its range is given only in a formula image that is not reproduced in the text) as its cloud private key $k_{cs}$, computes $k_{cp} = k_{cs} \cdot P$ as its cloud public key, and sends $k_{cp}$, $E(GF(2^m))$ and the point $P$ to the edge node. On receiving this message, the edge node hashes $T_{i-1}$ and stores $H(T_{i-1})$ together with the cloud public key $k_{cp}$, generates its node public key pw and node private key sw from the elliptic-curve parameters and its id, forms $N = (k_{cp} \,\|\, ECC \,\|\, H(T_{i-1}))$ together with pw and the ECC parameters, and sends N to the cloud. After receiving N, the cloud disassembles the message and stores pw and $H(T_{i-1})$.
Authentication phase:
First, the edge node generates a first random number $R_1$, encrypts its id together with $R_1$ under the cloud public key to obtain the first authentication message $M_1 = E_{k_{cp}}(id, R_1)$, and sends $M_1$ to the cloud. On receiving it, the cloud disassembles the message, extracts the id and the first random number $R_1$, stores the timestamp $T_i$, and looks up the node public key pw and $H(T_{i-1})$ bound to that id. The cloud then concatenates pw and $R_1$ and hashes the result to obtain the first response message $M_2 = H(pw \,\|\, R_1)$, which it sends to the edge node. After receiving $M_2$, the edge node hashes its own node public key pw with the first random number $R_1$ to obtain the first verification message $M_3 = H(pw \,\|\, R_1)$ and checks whether $M_2$ and $M_3$ are equal: if so, the cloud is legitimate; otherwise communication is terminated and authentication fails. Since pw is a public key, what actually proves the cloud's identity in this round is that only the holder of $k_{cs}$ can recover $R_1$ from $M_1$.
Then the cloud generates a third random number $R_3$, encrypts it under the node public key of the edge node to obtain the second authentication message $M_4 = E_{pw}(R_3 \,\|\, H(T_{i-1}))$, and sends $M_4$ to the edge node. After receiving $M_4$, the edge node decrypts it with its node private key to obtain $R_3$, hashes $R_3$ with the stored timestamp hash to obtain the second response message $M_5 = H(R_3 \,\|\, H(T_{i-1}))$, and sends $M_5$ to the cloud. After receiving it, the cloud performs the same hash operation to obtain the second verification message $M_6$; if $M_5$ and $M_6$ are equal, authentication passes, otherwise it fails.
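The registration exchange and the two-round mutual authentication described above, as an added example that is not part of the patent or its authors' code. It simulates both parties in one Python process. Substitutions and assumptions: the patent's curve over $GF(2^m)$ is replaced by the prime-field secp256k1 curve; the public-key encryption $E_k(\cdot)$, which the patent does not specify, is replaced by an ECIES-style construction (ephemeral ECDH, SHA-256 keystream, HMAC tag); the node keypair (sw, pw) is generated fresh rather than derived from the id; $T_{i-1}$ is assumed to be carried in the registration response so that the node can hash it; and the ECC field of N is taken to carry pw. All class and function names are the example's own.

```python
import hashlib, hmac, secrets, time

# secp256k1 parameters, standing in for the patent's E(GF(2^m)) and base point P.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, P - 2, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, P - 2, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):  # double-and-add k * pt (not constant-time: illustration only)
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def keygen():  # random scalar and its public point: (k_cs, k_cp) for the cloud, (sw, pw) for a node
    priv = secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)

def H(*parts):  # the patent's H(a || b): SHA-256 over the concatenation; a point is hashed by its x-coordinate
    return hashlib.sha256(b"".join(p[0].to_bytes(32, "big") if isinstance(p, tuple) else p for p in parts)).digest()

def pk_encrypt(pub, plaintext):  # E_pub(.): ephemeral ECDH, SHA-256 keystream, HMAC tag (ECIES-style stand-in)
    r, R = keygen()
    s = ec_mul(r, pub)
    stream = b"".join(H(b"enc", s, bytes([i])) for i in range(len(plaintext) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return R, ct, hmac.new(H(b"mac", s), ct, hashlib.sha256).digest()

def pk_decrypt(priv, msg):  # inverse of pk_encrypt; ValueError if the tag does not verify
    R, ct, tag = msg
    s = ec_mul(priv, R)
    if not hmac.compare_digest(tag, hmac.new(H(b"mac", s), ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch")
    stream = b"".join(H(b"enc", s, bytes([i])) for i in range(len(ct) // 32 + 1))
    return bytes(a ^ b for a, b in zip(ct, stream))

class Cloud:
    def __init__(self):
        self.kcs, self.kcp = keygen()           # second random number k_cs; k_cp = k_cs * P
        self.registry = {}                      # id -> (pw, H(T_{i-1}))
    def on_register_request(self, node_id):
        if node_id in self.registry:            # registry lookup: a duplicate id stops registration
            raise ValueError(f"{node_id!r} already registered")
        t_prev = str(time.time_ns()).encode()   # T_{i-1}, taken when the request arrives
        # Assumption: T_{i-1} travels with k_cp, E and P so the node can compute H(T_{i-1}).
        return {"kcp": self.kcp, "curve": "secp256k1", "base": G, "t_prev": t_prev}
    def on_register_info(self, node_id, n_msg):  # N = (k_cp || ECC || H(T_{i-1})); ECC taken to carry pw
        self.registry[node_id] = n_msg[1:]        # keep pw and H(T_{i-1}) for the authentication phase
    def on_m1(self, m1):                          # round 1: M1 = E_kcp(id, R1)  ->  M2 = H(pw || R1)
        try:
            plain = pk_decrypt(self.kcs, m1)
            self.pw, self.h_t = self.registry[plain[:-32].decode()]
        except (ValueError, KeyError):            # no k_cs, or unknown id: only a guess is possible
            return secrets.token_bytes(32)
        self.t_i = time.time_ns()                 # T_i
        return H(self.pw, plain[-32:])
    def make_m4(self):                            # round 2: M4 = E_pw(R3 || H(T_{i-1}))
        self.r3 = secrets.token_bytes(32)
        return pk_encrypt(self.pw, self.r3 + self.h_t)
    def on_m5(self, m5):                          # accept iff M5 == M6 = H(R3 || H(T_{i-1}))
        return hmac.compare_digest(m5, H(self.r3, self.h_t))

class Edge:
    def __init__(self, node_id):
        self.id, (self.sw, self.pw) = node_id, keygen()  # assumption: fresh keypair, not derived from id
    def register(self, cloud):
        resp = cloud.on_register_request(self.id)
        self.kcp, self.h_t = resp["kcp"], H(resp["t_prev"])
        cloud.on_register_info(self.id, (self.kcp, self.pw, self.h_t))
    def authenticate(self, cloud):  # 'ok', 'cloud-rejected' (node refused cloud) or 'edge-rejected' (cloud refused node)
        r1 = secrets.token_bytes(32)
        m2 = cloud.on_m1(pk_encrypt(self.kcp, self.id.encode() + r1))   # M1 = E_kcp(id, R1)
        if not hmac.compare_digest(m2, H(self.pw, r1)):                  # M3 = H(pw || R1)
            return "cloud-rejected"
        try:
            m5 = H(pk_decrypt(self.sw, cloud.make_m4())[:32], self.h_t)  # M5 = H(R3 || H(T_{i-1}))
        except ValueError:                        # without sw an impostor can only guess M5
            m5 = secrets.token_bytes(32)
        return "ok" if cloud.on_m5(m5) else "edge-rejected"

def demo():  # genuine pair; a cloud without k_cs; a node without sw (id, k_cp and pw are all public)
    cloud, edge = Cloud(), Edge("edge-node-01")
    edge.register(cloud)
    fake_cloud, impostor = Cloud(), Edge("edge-node-01")
    fake_cloud.registry, impostor.kcp, impostor.pw = dict(cloud.registry), cloud.kcp, edge.pw
    return edge.authenticate(cloud), edge.authenticate(fake_cloud), impostor.authenticate(cloud)
```

`demo()` runs three exchanges and returns `("ok", "cloud-rejected", "edge-rejected")`: the genuine pair; a second cloud that copied the registry but lacks $k_{cs}$, so it cannot open $M_1$, its $M_2$ is a guess and the node rejects it; and a node that knows the public id, $k_{cp}$ and pw but not sw, which passes round one (because $M_2$ involves only public values) and is rejected by the cloud in round two. The curve arithmetic is not constant-time and performs no point validation; it is illustration, not production cryptography.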
In summary, the invention provides a bidirectional identity authentication protocol between edge nodes and the cloud, addressing the insufficient security and speed of existing authentication protocols between the cloud and the edge nodes of an industrial Internet platform. The protocol turns the one-way OTP protocol into a two-way identity authentication protocol, so that the authenticity and validity of both the cloud and the edge node identities are ensured at the same time, malicious attackers are prevented from penetrating the core network, and the security of the industrial Internet is greatly improved.
The protocol introduces an elliptic-curve cryptographic algorithm to encrypt the key data in the authentication process. ECC has small keys and system parameters, consumes little storage space, runs fast and offers the highest security strength per bit, so it suits the authentication environment of edge computing nodes with limited computing and storage resources and provides a reliable, lightweight encryption function that avoids the leakage risk of transmitting data in plaintext. Timestamps are used to avoid replay attacks, and the hash-iteration operation of the one-time password authentication protocol is simplified, so compared with the original authentication protocol the scheme has higher security and better operating efficiency and can meet the authentication security requirements of resource-limited edge nodes.
In addition, the scheme is an improvement of OTP authentication: it inherits the convenience of the OTP scheme while improving OTP in convenience and security as follows:
first, the information in the authentication process is encrypted, which protects the confidentiality of the authentication information;
second, the protocol does not use hash iteration but simple hash calculation during authentication, which reduces the amount of computation in authentication and avoids the small-number attack;
third, the computing node uses its identity as the public key pw, which simplifies password generation.
While the invention has been described in connection with specific embodiments thereof, it is to be understood that, in light of the appended drawings and description, the invention may be embodied in other specific forms without departing from its spirit or scope.

Claims (10)

1. A cloud data security authentication method, characterized by comprising the following steps:
generating a first random number, and sending to the cloud a first authentication message encrypted with the cloud public key;
receiving a first response message returned by the cloud in reply to the first authentication message, and verifying whether the cloud is legitimate based on the first response message;
wherein the first response message is obtained as follows: the cloud parses the first authentication message to obtain the edge node id and the first random number, and computes the first response message from the node public key corresponding to the edge node id and the first random number.
2. The cloud data security authentication method of claim 1, wherein verifying whether the cloud is legitimate based on the first response message comprises:
computing a first verification message from the node public key and the first random number;
judging whether the first verification message is consistent with the first response message; if so, the cloud is determined to be legitimate, otherwise cloud authentication fails.
3. The cloud data security authentication method of claim 1, further comprising registering the edge node before the first authentication message is sent to the cloud, the registration method comprising:
sending registration request information carrying the edge node id to the cloud;
receiving registration response information returned by the cloud in reply to the registration request information, generating the node public key and node private key of the edge node from the registration response information, and sending registration information generated from the node public key to the cloud;
the cloud parsing the registration information and obtaining and storing the node public key, so as to complete registration of the edge node.
4. The cloud data security authentication method of claim 3, wherein the registration method further comprises:
after receiving the registration request information, the cloud querying a registry for the edge node id to determine whether the edge node is registered;
when the edge node is unregistered, storing the current timestamp information and the edge node id and generating the registration response information.
5. The cloud data security authentication method of claim 4, wherein the method of generating the registration response information comprises:
the cloud generating a second random number as its cloud private key and generating a secure elliptic curve;
selecting a base point on the secure elliptic curve and generating the cloud public key of the cloud from the base point;
generating the registration response information from the cloud public key, the secure elliptic curve and the base point.
6. A data security authentication method of an edge node, characterized by comprising the following steps:
generating a third random number, and sending to the edge node a second authentication message encrypted with the node public key;
receiving a second response message returned by the edge node in reply to the second authentication message, and verifying whether the edge node is legitimate based on the second response message;
wherein the second response message is obtained as follows: the edge node parses the second authentication message to obtain the third random number, and computes the second response message from the third random number.
7. The method of claim 6, wherein verifying whether the edge node is legitimate based on the second response message comprises:
computing a second verification message from the third random number;
judging whether the second verification message is consistent with the second response message; if so, the edge node is determined to be legitimate, otherwise edge node authentication fails.
8. The data security authentication method of the edge node according to claim 6, further comprising registration of the edge node before the second authentication message is sent to the edge node, the registration method comprising:
sending registration request information carrying the edge node id to the cloud;
receiving registration response information returned by the cloud in reply to the registration request information, generating the node public key and node private key of the edge node from the registration response information, and sending registration information generated from the node public key to the cloud;
the cloud parsing the registration information and obtaining and storing the node public key, so as to complete registration of the edge node.
9. The data security authentication method of the edge node according to claim 8, wherein the registration method further comprises:
after receiving the registration request information, the cloud querying a registry for the edge node id to determine whether the edge node is registered;
when the edge node is unregistered, storing the current timestamp information and the edge node id and generating the registration response information.
10. The method of claim 9, wherein generating the registration response information comprises:
the cloud generating a second random number as its cloud private key and generating a secure elliptic curve;
selecting a base point on the secure elliptic curve and generating the cloud public key of the cloud from the base point;
generating the registration response information from the cloud public key, the secure elliptic curve and the base point.
CN202010078891.8A 2020-02-03 2020-02-03 Data security authentication method between cloud and edge node Active CN111294352B (en)
Publications (2)

Publication Number Publication Date
CN111294352A true CN111294352A (en) 2020-06-16
CN111294352B CN111294352B (en) 2022-06-14

Family

ID=71022366
Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190312877A1 (en) * 2016-12-23 2019-10-10 Cloudminds (Shenzhen) Robotics Systems Co., Ltd. Block chain mining method, device, and node apparatus
CN106789476A (en) * 2016-12-29 2017-05-31 Tcl集团股份有限公司 A kind of gateway communication method and system
CN108366063A (en) * 2018-02-11 2018-08-03 广东美的厨房电器制造有限公司 Data communications method, device and its equipment of smart machine
CN108173882A (en) * 2018-03-01 2018-06-15 北京科技大学 Edge calculations node identities authentication method based on aes algorithm
CN109167778A (en) * 2018-08-28 2019-01-08 南京邮电大学 Terminal device is without identity common authentication method in Internet of Things
CN109873815A (en) * 2019-01-28 2019-06-11 西安电子科技大学 Isomeric compound networking certification method based on edge calculations, Internet of Things security platform
CN110099367A (en) * 2019-04-26 2019-08-06 河南工学院 Car networking secure data sharing method based on edge calculations
CN110636062A (en) * 2019-09-20 2019-12-31 百度在线网络技术(北京)有限公司 Method and device for controlling secure interaction of equipment, electronic equipment and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
孙岩等 (Sun Yan et al.): "边缘计算在工业互联网中应用的安全问题研究" (Research on security issues in applying edge computing to the industrial Internet), 《保密科学技术》 (Secrecy Science and Technology), 30 November 2019 *
杨小宝等 (Yang Xiaobao et al.): "基于智能卡的云终端设备安全接入" (Secure access of cloud terminal devices based on smart cards), 《西安邮电大学学报》 (Journal of Xi'an University of Posts and Telecommunications), vol. 20, no. 2, 10 March 2015 *
马媛媛等 (Ma Yuanyuan et al.): "边缘计算场景下的异构终端安全接入技术研究" (Research on secure access technology for heterogeneous terminals in edge computing scenarios), 《计算机工程与应用》 (Computer Engineering and Applications), 31 October 2019 *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935087B (en) * 2020-07-02 2021-04-06 上海微亿智造科技有限公司 Authentication verification method and system for gateway receiving large data volume through industrial internet
CN111935087A (en) * 2020-07-02 2020-11-13 上海微亿智造科技有限公司 Authentication verification method and system for gateway receiving large data volume through industrial internet
CN112203280A (en) * 2020-10-10 2021-01-08 北京航空航天大学 Data credible transmission mechanism facing edge gateway
CN112203280B (en) * 2020-10-10 2024-02-09 北京航空航天大学 Data trusted transmission mechanism oriented to edge gateway
CN112565241A (en) * 2020-12-01 2021-03-26 杭州思源信息技术股份有限公司 Community Internet of things perception system based on smart skynet and construction method
CN112866197A (en) * 2020-12-31 2021-05-28 北京安御道合科技有限公司 Password edge calculation method and system for realizing security of terminal of Internet of things and terminal
CN112910977A (en) * 2021-01-26 2021-06-04 梁新祥 Building electric power safety alarm system
CN112995171A (en) * 2021-02-24 2021-06-18 国网江苏省电力有限公司信息通信分公司 Cloud computing container management method based on region position
CN113422683B (en) * 2021-03-04 2023-05-26 上海数道信息科技有限公司 Edge cloud cooperative data transmission method, system, storage medium and terminal
CN113422683A (en) * 2021-03-04 2021-09-21 上海数道信息科技有限公司 Edge cloud cooperative data transmission method, system, storage medium and terminal
CN113783953A (en) * 2021-08-31 2021-12-10 上海慧程智能系统有限公司 Industrial Internet of things network management and control method and system based on cloud edge cooperation
CN114338166A (en) * 2021-12-29 2022-04-12 支付宝(杭州)信息技术有限公司 Edge device risk processing method, device, equipment and cloud server
CN114900288A (en) * 2022-05-23 2022-08-12 科大天工智能装备技术(天津)有限公司 Industrial environment authentication method based on edge service
CN114900288B (en) * 2022-05-23 2023-08-25 北京科技大学 Industrial environment authentication method based on edge service
CN115208922B (en) * 2022-07-15 2023-11-03 鹿马智能科技(上海)有限公司 Hotel management system based on edge calculation
CN115208922A (en) * 2022-07-15 2022-10-18 鹿马智能科技(上海)有限公司 Hotel management system based on edge calculation
CN116032666A (en) * 2023-03-29 2023-04-28 广东致盛技术有限公司 Bian Yun cooperative equipment camouflage identification method and system based on learning model
CN116032666B (en) * 2023-03-29 2023-09-22 广东致盛技术有限公司 Bian Yun cooperative equipment camouflage identification method and system based on learning model
CN117729056A (en) * 2024-02-09 2024-03-19 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Equipment identity authentication method and system
CN117729056B (en) * 2024-02-09 2024-05-03 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Equipment identity authentication method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant